{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-53742", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-08T01:18:04.278Z", "datePublished": "2025-12-08T01:19:00.778Z", "dateUpdated": "2025-12-08T01:19:00.778Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-08T01:19:00.778Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcsan: Avoid READ_ONCE() in read_instrumented_memory()\n\nHaibo Li reported:\n\n | Unable to handle kernel paging request at virtual address\n | ffffff802a0d8d7171\n | Mem abort info:o:\n | ESR = 0x9600002121\n | EC = 0x25: DABT (current EL), IL = 32 bitsts\n | SET = 0, FnV = 0 0\n | EA = 0, S1PTW = 0 0\n | FSC = 0x21: alignment fault\n | Data abort info:o:\n | ISV = 0, ISS = 0x0000002121\n | CM = 0, WnR = 0 0\n | swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000002835200000\n | [ffffff802a0d8d71] pgd=180000005fbf9003, p4d=180000005fbf9003,\n | pud=180000005fbf9003, pmd=180000005fbe8003, pte=006800002a0d8707\n | Internal error: Oops: 96000021 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted\n | 5.15.78-android13-8-g63561175bbda-dirty #1\n | ...\n | pc : kcsan_setup_watchpoint+0x26c/0x6bc\n | lr : kcsan_setup_watchpoint+0x88/0x6bc\n | sp : ffffffc00ab4b7f0\n | x29: ffffffc00ab4b800 x28: ffffff80294fe588 x27: 0000000000000001\n | x26: 0000000000000019 x25: 0000000000000001 x24: ffffff80294fdb80\n | x23: 0000000000000000 x22: ffffffc00a70fb68 x21: ffffff802a0d8d71\n | x20: 0000000000000002 x19: 0000000000000000 x18: ffffffc00a9bd060\n | x17: 0000000000000001 x16: 0000000000000000 x15: ffffffc00a59f000\n | x14: 0000000000000001 x13: 0000000000000000 x12: ffffffc00a70faa0\n | x11: 00000000aaaaaaab x10: 0000000000000054 x9 : ffffffc00839adf8\n | x8 : ffffffc009b4cf00 x7 : 0000000000000000 x6 : 0000000000000007\n | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffc00a70fb70\n | x2 : 0005ff802a0d8d71 x1 : 0000000000000000 x0 : 0000000000000000\n | Call trace:\n | kcsan_setup_watchpoint+0x26c/0x6bc\n | __tsan_read2+0x1f0/0x234\n | inflate_fast+0x498/0x750\n | zlib_inflate+0x1304/0x2384\n | __gunzip+0x3a0/0x45c\n | gunzip+0x20/0x30\n | unpack_to_rootfs+0x2a8/0x3fc\n | do_populate_rootfs+0xe8/0x11c\n | async_run_entry_fn+0x58/0x1bc\n | process_one_work+0x3ec/0x738\n | worker_thread+0x4c4/0x838\n | kthread+0x20c/0x258\n | ret_from_fork+0x10/0x20\n | Code: b8bfc2a8 2a0803f7 14000007 d503249f (78bfc2a8) )\n | ---[ end trace 613a943cb0a572b6 ]-----\n\nThe reason for this is that on certain arm64 configuration since\ne35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire when\nCONFIG_LTO=y\"), READ_ONCE() may be promoted to a full atomic acquire\ninstruction which cannot be used on unaligned addresses.\n\nFix it by avoiding READ_ONCE() in read_instrumented_memory(), and simply\nforcing the compiler to do the required access by casting to the\nappropriate volatile type. In terms of generated code this currently\nonly affects architectures that do not use the default READ_ONCE()\nimplementation.\n\nThe only downside is that we are not guaranteed atomicity of the access\nitself, although on most architectures a plain load up to machine word\nsize should still be atomic (a fact the default READ_ONCE() still relies\non itself)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/kcsan/core.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "706ae665747b629bcf87a2d7e6438602f904b8d5", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "75c03a8cfc731519236f08c34c7e029ae153a613", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f8f2297355513e5e0631e604ef9d7e449c7dcd00", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8dec88070d964bfeb4198f34cb5956d89dd1f557", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/kcsan/core.c"], "versions": [{"version": "6.1.28", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.15", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.2", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.28"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/706ae665747b629bcf87a2d7e6438602f904b8d5"}, {"url": "https://git.kernel.org/stable/c/75c03a8cfc731519236f08c34c7e029ae153a613"}, {"url": "https://git.kernel.org/stable/c/f8f2297355513e5e0631e604ef9d7e449c7dcd00"}, {"url": "https://git.kernel.org/stable/c/8dec88070d964bfeb4198f34cb5956d89dd1f557"}], "title": "kcsan: Avoid READ_ONCE() in read_instrumented_memory()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcsan: Avoid READ_ONCE() in read_instrumented_memory()\n\nHaibo Li reported:\n\n | Unable to handle kernel paging request at virtual address\n | ffffff802a0d8d7171\n | Mem abort info:o:\n | ESR = 0x9600002121\n | EC = 0x25: DABT (current EL), IL = 32 bitsts\n | SET = 0, FnV = 0 0\n | EA = 0, S1PTW = 0 0\n | FSC = 0x21: alignment fault\n | Data abort info:o:\n | ISV = 0, ISS = 0x0000002121\n | CM = 0, WnR = 0 0\n | swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000002835200000\n | [ffffff802a0d8d71] pgd=180000005fbf9003, p4d=180000005fbf9003,\n | pud=180000005fbf9003, pmd=180000005fbe8003, pte=006800002a0d8707\n | Internal error: Oops: 96000021 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted\n | 5.15.78-android13-8-g63561175bbda-dirty #1\n | ...\n | pc : kcsan_setup_watchpoint+0x26c/0x6bc\n | lr : kcsan_setup_watchpoint+0x88/0x6bc\n | sp : ffffffc00ab4b7f0\n | x29: ffffffc00ab4b800 x28: ffffff80294fe588 x27: 0000000000000001\n | x26: 0000000000000019 x25: 0000000000000001 x24: ffffff80294fdb80\n | x23: 0000000000000000 x22: ffffffc00a70fb68 x21: ffffff802a0d8d71\n | x20: 0000000000000002 x19: 0000000000000000 x18: ffffffc00a9bd060\n | x17: 0000000000000001 x16: 0000000000000000 x15: ffffffc00a59f000\n | x14: 0000000000000001 x13: 0000000000000000 x12: ffffffc00a70faa0\n | x11: 00000000aaaaaaab x10: 0000000000000054 x9 : ffffffc00839adf8\n | x8 : ffffffc009b4cf00 x7 : 0000000000000000 x6 : 0000000000000007\n | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffc00a70fb70\n | x2 : 0005ff802a0d8d71 x1 : 0000000000000000 x0 : 0000000000000000\n | Call trace:\n | kcsan_setup_watchpoint+0x26c/0x6bc\n | __tsan_read2+0x1f0/0x234\n | inflate_fast+0x498/0x750\n | zlib_inflate+0x1304/0x2384\n | __gunzip+0x3a0/0x45c\n | gunzip+0x20/0x30\n | unpack_to_rootfs+0x2a8/0x3fc\n | do_populate_rootfs+0xe8/0x11c\n | async_run_entry_fn+0x58/0x1bc\n | process_one_work+0x3ec/0x738\n | worker_thread+0x4c4/0x838\n | kthread+0x20c/0x258\n | ret_from_fork+0x10/0x20\n | Code: b8bfc2a8 2a0803f7 14000007 d503249f (78bfc2a8) )\n | ---[ end trace 613a943cb0a572b6 ]-----\n\nThe reason for this is that on certain arm64 configuration since\ne35123d83ee3 (\"arm64: lto: Strengthen READ_ONCE() to acquire when\nCONFIG_LTO=y\"), READ_ONCE() may be promoted to a full atomic acquire\ninstruction which cannot be used on unaligned addresses.\n\nFix it by avoiding READ_ONCE() in read_instrumented_memory(), and simply\nforcing the compiler to do the required access by casting to the\nappropriate volatile type. In terms of generated code this currently\nonly affects architectures that do not use the default READ_ONCE()\nimplementation.\n\nThe only downside is that we are not guaranteed atomicity of the access\nitself, although on most architectures a plain load up to machine word\nsize should still be atomic (a fact the default READ_ONCE() still relies\non itself)."}], "id": "CVE-2023-53742", "lastModified": "2025-12-08T02:15:49.380", "metrics": {}, "published": "2025-12-08T02:15:49.380", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/706ae665747b629bcf87a2d7e6438602f904b8d5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/75c03a8cfc731519236f08c34c7e029ae153a613"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8dec88070d964bfeb4198f34cb5956d89dd1f557"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f8f2297355513e5e0631e604ef9d7e449c7dcd00"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}